Which queue applies?



  • Hello,

    From what I understood, floating rules are evaluated before interface rules. Correct?

    Now let's say, I have a floating rule with action=match, and which matches a packet (incoming on the LAN interface) with particular src IP and destination IP and then assigns queue Q1 to it.
    Now, I also have a LAN rule with action=pass, and which also matches the same packet, but assigns queue Q2 to it.

    What happens in this case?
    1. Is the queue specified by the floating rule overridden by the one specified by the LAN rule?
    2. Would this have been different if the floating rule had action=pass?

    Thanks



  • 1.  "Floating rules are parsed before rules on other interfaces."
    http://doc.pfsense.org/index.php/What_are_Floating_Rules%3F

    Therefore, we should expect the LAN rule, being secondary, to override the floating rule as it gets parsed second to the floating rule.

    2.  No.  Pass will cause traffic to actually be allowed through your firewall based on your settings.

    I keep my floating match rules separate from my pass rules.  I will create them separately to avoid confusion.



  • Hi,

    Thank you for having replied to my question.

    1. Let's say, I have a floating rule with the quick option selected, action=match, interface=LAN, direction=in, src IP=10.1.2.3, dest IP=A.B.C.D, queue=Q1. However, I do NOT have any rule on the LAN interface to actually allow (PASS) this traffic through. Will the pfSense firewall allow this packet to pass? In short, does a MATCH rule have any effect on whether a packet is blocked or allowed through the firewall?

    2. Similarly, I have a floating rule with the quick option selected, action=match, interface=LAN, direction=in, src IP=10.1.2.3, dest IP=A.B.C.D, queue=Q1. I also have a rule on the LAN interface to allow (PASS) this traffic through. The MATCH floating rule will match this packet and normally "pfsense will not attempt to filter that packet against any rule on any other interface." [Quoted from last line on http://doc.pfsense.org/index.php/What_are_Floating_Rules%3F].
    Question: will the pfSense firewall allow this packet to pass through?

    3. In the 2nd question above, if the PASS rule on the LAN interface does not specify a queue, while the MATCH floating rule did specify one, is the packet placed in the queue Q1, or does the PASS rule override the queue assignment and hence the packet is not placed in any queue or placed in the default queue?

    Thank you for your time.



  • 1.  No, unless your default rule is to pass traffic.  Match rules have no effect on whether traffic is passed or blocked.

    2.  Yes.  Remember, a match rule is not a filter rule.

    3.  Since the pass rule does not specify a queue, it does not get overridden.  The packet and future stateful traffic for this packet will be placed in Q1.
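
The answers in this thread, worked through as an added example that is not part of the original posts and is not pfSense or pf code: a small Python model in which floating rules are parsed before interface rules, a match rule only sets the queue, and the last matching pass/block rule decides the verdict. Assumptions: no rule uses quick, the default is deny unless stated otherwise, `evaluate` and `Rule` are hypothetical names, and 203.0.113.10 is a constructed stand-in for A.B.C.D.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                   # "match", "pass" or "block"
    src: str                      # source address or network
    dst: str                      # destination address or network
    queue: Optional[str] = None   # None means the rule assigns no queue


def evaluate(floating, interface, src, dst, default="block"):
    """Return (verdict, queue) for one packet arriving on the interface."""
    verdict, queue = default, None
    # Floating rules are parsed first, then the interface (LAN) rules.
    for rule in list(floating) + list(interface):
        if ip_address(src) not in ip_network(rule.src):
            continue
        if ip_address(dst) not in ip_network(rule.dst):
            continue
        # Any matching rule that names a queue replaces the earlier one;
        # a rule without a queue leaves the earlier assignment in place.
        if rule.queue is not None:
            queue = rule.queue
        # Only pass/block rules change the verdict; match rules never do.
        if rule.action in ("pass", "block"):
            verdict = rule.action
    # A packet that is not passed is never queued.
    return verdict, (queue if verdict == "pass" else None)


# Constructed sample data: source from the thread, destination is a stand-in.
SRC, DST = "10.1.2.3", "203.0.113.10"
MATCH_Q1 = Rule("match", SRC, DST, "Q1")


def scenarios():
    """The three cases discussed in the thread, keyed by a short label."""
    return {
        "match Q1 + pass Q2": evaluate([MATCH_Q1], [Rule("pass", SRC, DST, "Q2")], SRC, DST),
        "match Q1 only": evaluate([MATCH_Q1], [], SRC, DST),
        "match Q1 + pass, no queue": evaluate([MATCH_Q1], [Rule("pass", SRC, DST)], SRC, DST),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:28} -> {result}")
```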

